Getting Data In

help with time_prefix

a212830
Champion

Hi,

I'm using data preview to test some new feeds, and while the event breaking is fine, I'm getting a warning message about needing TIME_PREFIX, and the time isn't parsing properly.

My props.conf config is:

ANNOTATE_PUNCT = false
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = |
TRUNCATE = 999999

Here's some sample data. How would I configure the TIME_PREFIX in this situation?

STATUS | wrapper | 2014/04/15 11:26:49 | --> Wrapper Started as Service
STATUS | wrapper | 2014/04/15 11:26:49 | Java Service Wrapper Professional Edition 64-bit 3.4.0
STATUS | wrapper | 2014/04/15 11:26:49 | Copyright (C) 1999-2010 Tanuki Software, Ltd. All Rights Reserved.
STATUS | wrapper | 2014/04/15 11:26:49 | http://wrapper.tanukisoftware.org
STATUS | wrapper | 2014/04/15 11:26:49 | Licensed to VMware Global, Inc. for VMware vCenter Inventory Service
STATUS | wrapper | 2014/04/15 11:26:49 |
STATUS | wrapper | 2014/04/15 11:26:49 | Launching a JVM...
INFO | jvm 1 | 2014/04/15 11:26:49 | WrapperManager: Initializing...
INFO | jvm 1 | 2014/04/15 11:26:59 | Apr 15, 2014 11:26:59 AM org.apache.catalina.core.AprLifecycleListener init
INFO | jvm 1 | 2014/04/15 11:26:59 | INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on
the java.library.path: ../lib;../../bin
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:26:59 AM org.apache.coyote.AbstractProtocol init
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-10080"]
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:26:59 AM org.apache.coyote.AbstractProtocol init
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-10443"]
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:27:00 AM org.apache.catalina.core.StandardService startInternal
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Starting service Tomcat
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:27:00 AM org.apache.catalina.core.StandardEngine startInternal

Tags (2)
1 Solution

kristian_kolb
Ultra Champion
TIME_PREFIX = ([^|]+\|){2}

Should do it. One or more non-pipe characters followed by a pipe, repeated twice. Can also be written:

TIME_PREFIX = [^|]+\|[^|]+\|

/K

View solution in original post

kristian_kolb
Ultra Champion
TIME_PREFIX = ([^|]+\|){2}

Should do it. One or more non-pipe characters followed by a pipe, repeated twice. Can also be written:

TIME_PREFIX = [^|]+\|[^|]+\|

/K

a212830
Champion

Perfect. Thanks.

0 Karma

sundarrajan
Path Finder

was the sourcetype is tomcat:runtime:log? or is it different? please let me know how you managed the sourcetype

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...